Re: CSP, Fetch, and frame-ancestors

On Wed, Jun 4, 2014 at 9:42 AM, Mike West <> wrote:
> Well, there's already a lot of magic hidden away in
> All of
> the TLS-handshake, for instance. I don't know what level you'd like Fetch to
> dive down to.

I'm assuming that is defined by the TLS/HTTP specifications. Roughly
what Fetch is doing is defining the missing parts between APIs and
getting a resource out of a URL.

> Frame ancestors seems like something we could reasonably include in Fetch
> (perhaps by pointing to a new hook in CSP, and passing in the request and
> response). I'm not really sure where to stop, however. At some point we
> reach the transport layer, which doesn't seem like what Fetch should be
> concerned with. I guess there's a stopping point somewhere between those
> two.

I don't see how it's lower than Fetch by the way. You need to process
all headers before you know if you're going to follow a redirect. So
it seems like you would know this around step 10 of

I was just thinking that since you need to know something about the
element and its ancestors, a hook in HTML might be more appropriate.


Received on Wednesday, 4 June 2014 07:55:28 UTC